Memory forensics is the analysis of a computer's volatile memory (RAM) to extract evidence that exists only while a system is running. Unlike disk forensics, memory forensics captures data that is lost when a system is powered off — including running processes, network connections, encryption keys, and injected malware code.
Volatile memory contains evidence that may never be written to disk:
| Evidence Type | Example |
|---|---|
| Running processes | A malicious process that has no file on disk (fileless malware) |
| Network connections | Active connections to command-and-control (C2) servers |
| Encryption keys | AES key schedules, BitLocker volume master and full-volume encryption keys (VMK/FVEK), and TrueCrypt/VeraCrypt master keys, all of which stay in RAM while a volume is mounted |
| User credentials | Plaintext passwords, NTLM hashes, Kerberos tickets |
| Clipboard data | Recently copied text or images |
| Command history | Commands executed in terminal or PowerShell sessions |
| Injected code | Malware injected into legitimate processes via DLL injection or process hollowing |
| Chat messages | Decrypted messages from encrypted messaging applications |
| Registry hives | Cached copies of the registry, including volatile keys such as HKLM\HARDWARE that exist only in memory and are never written to an on-disk hive |
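The "encryption keys" row is worth a worked example. Software AES keeps the expanded key schedule (for AES-128, eleven 16-byte round keys, 176 bytes) in memory beside the key, and every round key is derived from the previous one. That relationship is a signature a forensic tool can search for: treat each 16-byte window of a dump as a candidate key, expand it, and check whether the bytes that follow are the expansion. The script below is an added example, not code from this lesson or from any particular tool, although it follows the same idea as aeskeyfind. The memory image it scans is constructed inline with the FIPS-197 test key planted in it; `find_aes128_keys`, `build_sample_image` and the other names are the example's own.

```python
"""Carve AES-128 key schedules out of a raw memory image (added example)."""
import random

SCHEDULE_LEN = 176  # 11 round keys x 16 bytes
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
# FIPS-197 Appendix A.1 test key, used here only to plant a known schedule.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Compute the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        b = s = inv
        for _ in range(4):
            b = ((b << 1) | (b >> 7)) & 0xFF  # rotate left by one bit
            s ^= b
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key_128(key: bytes) -> bytes:
    """Standard AES-128 key expansion (FIPS-197 section 5.2), returning 176 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # SubWord(RotWord())
            temp[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ temp[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def _first_derived_word(key: bytes) -> bytes:
    """Only w[4] of the schedule: a cheap filter before doing a full expansion."""
    t = [SBOX[b] for b in (key[13], key[14], key[15], key[12])]
    t[0] ^= RCON[0]
    return bytes(key[j] ^ t[j] for j in range(4))


def find_aes128_keys(image: bytes) -> list:
    """Return (offset, key_hex) for every complete AES-128 schedule in image."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        key = image[off:off + 16]
        if _first_derived_word(key) != image[off + 16:off + 20]:
            continue
        # A bare key copy is still rejected here: all 160 derived bytes must match.
        if expand_key_128(key) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, key.hex()))
    return hits


def build_sample_image() -> bytes:
    """Constructed 8 KiB image (not a real capture): pseudo-random filler with
    two planted key schedules and one bare key copied without its schedule."""
    rng = random.Random(2024)
    img = bytearray(rng.getrandbits(8) for _ in range(0x2000))
    for off, key in ((0x300, FIPS_KEY), (0x1000, bytes(range(16)))):
        img[off:off + SCHEDULE_LEN] = expand_key_128(key)
    img[0x1800:0x1810] = FIPS_KEY  # key only, no schedule: must not be reported
    return bytes(img)


if __name__ == "__main__":
    for off, key_hex in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset 0x{off:x}: key {key_hex}")
```

Run it against a raw dump by passing the file contents to `find_aes128_keys`; the scan stops at the first mismatching derived word at almost every offset, so the full expansion only runs for genuine candidates. A key that sits in memory without its schedule (the copy at 0x1800 in the sample) is deliberately not reported, which is why the same idea is usually paired with a search for the schedule rather than the key bytes alone. AES-256 uses a 240-byte schedule with a different expansion step and needs its own variant of `expand_key_128`.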